Zopa is a new authorization engine designed to fill the gap for a compact and efficient proxy-wasm filter. The existing solutions, such as OPA's wasm build, are often heavy and carry unnecessary overhead. Zopa, on the other hand, is a Zig wasm32-freestanding binary that weighs in at approximately 60KB. This significant reduction in size is achieved by separating the policy writing and evaluation processes, and by pushing the parser out of the wasm module.
Big Picture
Zopa assumes a clear separation of concerns between policy authors and evaluators. Policy authors write rules in Rego, which are then converted to Abstract Syntax Tree (AST) JSON. The AST is handed to the wasm module as plugin config, and on each incoming request, Zopa evaluates and returns a decision.
Proxy-Wasm Refresher
Proxy-wasm is the ABI spec for filters in wasm used by Envoy and other hosts. The host calls into wasm exports at request milestones, and the wasm pulls header values back through host imports. Zopa implements proxy-wasm 0.2.1, which provides a standardized interface for filters.
Why It Fits in 60KB
The build process for Zopa is optimized to produce a small binary. The wasm32-freestanding target is used, which drops every file I/O and network stub. Additionally, Zig has no garbage collector, which eliminates the need for GC code and management metadata. The JSON parser is also hand-rolled, which reduces dependencies and keeps the binary size down.
Memory Model
Zopa's memory model is designed to be efficient and scalable. Two allocators are used, with different lifetimes and roles. The host_allocator is used for buffers that cross the host boundary, while the request_arena is used for per-request scratch space. The arena is reset at the end of each request, which eliminates the need for individual free calls and reduces memory growth.
Three-Phase Target Rules
Zopa makes decisions independently in three HTTP phases, each bound to a different target rule name. If a policy contains a rule with that name, the phase fires; if not, the phase passes through silently. The key point is that a policy with only an allow rule sails past the body and response phases untouched.
What Happens During One Request
When Envoy hands a single request to Zopa, the policy AST is handed to it once at startup and copied into the host allocator. Every phase ends with arena.reset, which carries no data across phase or request boundaries. The body and response phases only run eval when the matching rule exists, and the policy opts each phase in by writing a rule with that name.
Looking ahead, Zopa has the potential to become a widely adopted solution for authorization in proxy-wasm environments. Its compact size, efficient memory model, and standardized interface make it an attractive option for developers and operators alike. As the project continues to evolve, it will be interesting to see how it is used in real-world scenarios and what new features are added to enhance its functionality.
AI summary
Zopa, proxy-wasm için yazılmış 60 KB'lik bir izin motorudur. Rego dilini destekler ve hızlı izin kararları verir.
